Blog

Merriam Webster defines expropriation as “the action of the state in taking or modifying the property rights of an individual in the exercise of its sovereignty.”[1] The Third Restatement of Foreign Relations Law of the US states that

A state is responsible under international law for injury resulting from:

(1) a taking by the state of the property of a national of another state that

(a) is not for a public purpose, or

(b) is discriminatory, or

(c) is not accompanied by provision for just compensation;

For compensation to be just under this Subsection, it must, in the absence of exceptional circumstances, be in an amount equivalent to the value of the property taken and be paid at the time of taking, or within a reasonable time thereafter with interest from the date of taking, and in a form economically usable by the foreign national.[2]

What are the implications of this in cyberspace? In late April 2018, news broke that an American citizen born in France is suing the French government for “cyber-squatting” and “reverse domain-name hijacking”.[3] This case stems from Jean-Noël Frydman’s ownership of the France.com domain name since 1994, which he claims France illegally seized from him. Frydman had used this domain as an online portal for American Francophiles and worked with French diplomats in the US and the French Foreign Ministry, claiming the French government named him a “leader in the tourism industry.”

Frydman lost control of France.com in March 2018, when the domain name’s registrar, Web.com, transferred France.com to the French Foreign Ministry. This was the result of a lawsuit in France where the French government sought to take control of France.com, succeeding in 2017 when an appeals court ruled that this domain name was in violation of French trademark law.[4] Now, Frydman is suing the French Foreign Minister, France, and an official tourism site, in a federal lawsuit in Virginia. He wishes to recover France.com and claims that he was not notified by the French government or the domain registrar that he would lose this domain name.[5] Complicating matters, France.com has now been shifted to the French registrar OVH from the American Web.com.[6] Web.com, when questioned by The Verge, did not reply as to its policy on court-ordered transfers.[7] Indeed, Frydman claims to be one of Web.com’s first customers, which shows that even a long-standing customer relationship with a registrar cannot guarantee one’s property interests in a domain name.[8]

Such governmental action is not without precedent in the EU. Indeed, as part of its efforts to stifle Catalan separatism, the Spanish Police raided the offices of the administrators of the .cat domain, seizing its computers.[9] Somewhat ironically given that France has now emulated Spain, in January 2018, the UK and France “said they would ‘make sure users can access websites without internet service providers favoring or blocking particular sites.’”[10] However, other countries have not behaved this way yet towards such domains. USA.com, Canada.com, and Germany.com remain privately operated and Japan.com is based in Hong Kong, and like France.com, is a tourist site.[11]

Before going into the present US federal lawsuit, some historical background is needed. Frydman retained the services of Harvard Law School’s Cyberlaw Clinic, who, exactly two years ago, wrote to Web.com to demand that they unlock France.com. Web.com had locked it without being ordered to do so.[12] In September 2017, the Court of Appeals of Paris confirmed that Frydman has to transfer France.com to the French state.[13] In November 2017, counsel for France wrote to Network Solutions LLC informing them of the court’s order to transfer France.com to France from Frydman.[14] All of this goes to show that Frydman has been actively defending himself from the French government’s expropriation of his domain name, and has retained representation both in the US and France.

Given that Frydman has maintained a travel website for over twenty years on France.com, and even cooperated with the French government, he was never a cybersquatter. Therefore, this would fail as an actionable allegation under ICANN’s Uniform Domain-Name Dispute-Resolution Policy.[15], [16] It's quite clear that Frydman had a legitimate tourism business on France.com, and according to the US federal lawsuit, the French government did not make an effort to buy or license the domain.[17]

Frydman sees what happened to him as an expropriation.[18] He filed a complaint with the US District Court of the Eastern District of Virginia on April 19, 2018. The Plaintiff is France.com, Inc. and the defendants are the French Republic, Atout France, the Ministry for Europe and Foreign Affairs, Minister Jean-Yves Le Drian, france.com, and Verisign, Inc.[19] Frydman’s aim in this case is to get France.com back, as well as to be awarded damages. There are over 27,000 domain names that begin with the word “France,” according to Blackstone Law Group’s proprietary software, OMNI.

*Daniel Schwalbe (Fordham Law School, Class of 2019) is a research associate at Blackstone Law Group. He is interested in cybersecurity and IP law.

Quoted in an article by SC Magazine concerning the State Department’s silence on matters of global privacy and cybersecurity practices, Alexander Urbelis opined that this silence is “hardly surprising” given the inconsistent messaging from the administration, executive, and legislative components of federal and state government.

Going further, Urbelis stated that “If State takes a laudatory position on the UN resolution that offline human rights should be similarly protected online, then State is implicitly endorsing the work of digital rights activists, which could be seen to be at loggerheads with the administration's position on whistleblowers.”

The DHS Intelligence Unit was scolded by an Inspector General report for a lack of business continuity and disaster recovery planning. Alexander Urbelis was quoted by SC Magazine in an article addressing these failures, plans for improving business continuity preparedness, and the reasons for the major backlog of DHS Freedom of Information Act requests.

As a correspondent for the Oxford Martin Cybersecurity Capacity Portal, Alexander Urbelis published an article on the impact that the debate over encryption regulation and legislation is likely to have on corporate defenses.

Blackstone Law Group will also be speaking about this topic later this week at the Inside the Dark Web conference in New York City. Please contact us if you would like to attend the conference as our guest.

On 12 May 2016, at the ‘Inside the Dark Web’ conference held in New York, Black Chambers will weigh in on the long-lasting and largely undiscussed implications of the ongoing legal battles over encryption.

Taking center stage at the debate over whether encryption should be regulated on the device level was the federal court repartee between the FBI and Apple. Much has been said about the merits of the arguments on both sides, but little has been discussed about the long-term unintentional consequence of weakening corporate defenses against malicious activity ongoing on the dark web. Our panel will address three components of this direct collision of law and information security.

First, we will address the disposition of the FBI v. Apple legal battle. Two of our panel participants were intimately involved in the legal battle between 2600 Magazine and the MPAA (Universal Studios v. Reimerdes), being cited for the somewhat shaky proposition that source code should be protected by the First Amendment.

Second, our talk will delve into the often-overlooked State legislation that proposes to regulate encryption on mobile devices and elsewhere, and the status of the UK's Investigatory Powers Bill. The focus of this portion will be on the breadth of the legislation and its possible negative effects on corporate security.

Finally, options for securing and protecting data using existing encryption products and services will be explored. Whether the FBI v. Apple legal battle, and whether State or international legislation, will impact such services will be assessed. Critically, however, this portion will focus on the policies and practices of cloud service providers, and the best options for a company to legally secure its own data, both from the prying eyes of malicious actors and from governmental or regulatory overreach.

Black Chambers, together with the Blackstone Law Group, spoke about the ongoing battle between ISPs and copyright holders at the first annual BloomCon Digital Forensics Conference held at Bloomsburg University on 5 February 2016.

Focusing on the landmark decision coming out of the US District Court for the Eastern District of Virginia between Cox Communications and BMG Rights Management, Black Chambers discussed the information security and legal implications of the decision and jury verdict that removed DMCA immunity from Cox Communications and held them accountable for the copyright-infringing activities of their customers, to the tune of 25,000,000 USD.

Stepping through the legal reasoning of the decision to remove DMCA immunity from Cox, Black Chambers provided a detailed account and analysis of the internal Cox e-mails that articulated sham “under the table” DMCA compliance policies designed to “collect a few extra weeks of payment” that were directly attributable to Cox’s loss. A clear takeaway was that had these legal DMCA compliance discussions occurred with an attorney – i.e., within the zone of protection of the attorney-client privilege – the damaging e-mails that led to Cox’s loss would not have been made public, and Cox would have very likely prevailed.

Going further, Black Chambers and Blackstone Law Group discussed the information security and compliance issues facing communications carriers resulting from this decision, the effects of enhanced DMCA accountability and user monitoring, and the anti-forensic countermeasures expected to be employed to stymie such efforts.

For a copy of our slide deck and presentation, or to speak further about this issue, please contact us.

The Consumer Fraud Protection Bureau issued its first enforcement action for misrepresenting data security practices. In the simplest terms possible, the CFPB has made it clear that if companies are going to ‘talk the talk’ about data security practices, they also have to ‘walk the walk.’ In addition to a $100,000 fine, the CFPB ordered online payment systems operator Dwolla to take immediate steps to ramp up its security practices on many fronts.

Though hitherto never exercised in the data security context, the CFPB derives its authority to regulate from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank provides the CFPB power to take action against institutions engaged in “unfair, deceptive or abusive acts or practices.” Signalling that data security practices are within its jurisdiction and in its sights, the CFPB’s scathing press release about Dwolla’s deceptive practices indicates further enforcement is sure to come.

Several facts make this action especially interesting and relevant to data security planning and practices:

1. There was no data breach. Historically, any regulation or fine was a direct result of some form of breach that led a regulator to inquire about company practices. This is an enforcement action without any such precursor, and means that any company with public-facing statements about data security practices can be subject to scrutiny.

2. Dwolla’s policies made explicit statements that their practices “exceed[ed]” or “surpass[ed]” industry data security practices, including PCI-DSS. On examination, Dwolla’s practices fell far short of anything even beginning to resemble sound data security practices, and included misrepresentations about the amount of data encrypted, security implemented, and transmission of sensitive data as clear text.

3. Dwolla management now has an ongoing reporting requirement to the CFPB for a period of five (5) years about its security practices and posture. It also established an affirmative obligation of the Dwolla Board of Directors to review all “plans, reports, programs, policies, and procedures,” before these documents are submitted to the CFPB. Obliging the Board is an overt demand for responsibility and accountability on CFPB’s part, and is likely to be part of any future enforcement action.

This is a blaring wake-up call to companies housing, collecting, or processing personal or financial data. In the words of the CFPB, “deception about security and security practices is illegal.” Review, revision, and auditing of security policies is a must.

Government regulation of data security is on the rise. And there is the possibility of regulatory scrutiny from multiple federal and state agencies with often overlapping and unclear jurisdictional boundaries.

These are necessary and sufficient reasons for a company’s data security practices and planning to be performed in a legally privileged context and overseen by experienced attorneys who are themselves information security professionals.

At Black Chambers, this is what we do and why we exist. Please e-mail us for a consultation.

Sometimes the signal to noise ratio can unintentionally function as a security feature. In other words, if you are a needle hiding in a haystack, the hay protects and provides the cover of camouflage. E-Discovery turns this analogy on its head, which is why information security for law firms and e-Discovery vendors is a pressing and critical issue.

The very nature of the expansive disclosure obligations amongst parties to a litigation under US and UK law mean that vast quantities of data are going to be transferred between the players. The process by which this occurs is familiar to lawyers, especially younger associates who have been delegated the unenviable task of sifting through thousands of e-mails, documents, and reports to identify the very high-grade ore amongst the rubble dumped on their firm. As for the side doing the dumping, e-mails, documents, and reports which are considered trade secrets, privileged, or otherwise confidential and non-responsive have been tagged and culled, before the exchange of data.

In short, the hay has been sifted and all the needles identified.

If these needles are the digital equivalent of trade secrets, privileged communications, confidential business plans, or any other sort of data that should not make its way to the public domain, then perimeter security surrounding this data at rest should be – at a minimum – viewed as a best practice.

In an article published recently by Bloomberg BNA, Gabe Friedman makes several excellent recommendations for drafting protective orders that require a receiving party be responsible for reasonable information security practices when receiving and handling data during the discovery phase of a litigation.

Friedman recommends litigants should require their adversaries to do the following:

1. Sign a protective order attesting that the receiving law firm meets certain basic cybersecurity protocols and that it indemnifies the disclosing party company against any risk of breach;

2. Use a trusted e-Discovery vendor; or

3. If all else fails, the party must access the data through a separate trusted e-Discovery vendor.

These recommendations, however, raise several additional issues for law firms and litigants, especially in light of the alarming prediction that 80% of the top 100 law firms have already been compromised. Namely:

1. What are the basic cybersecurity protocols a law firm should apply as a matter of best practices?

2. Are law firm practices case-specific, meaning do some matters require more information security precautions than others; and if so, which?

3. What is a trusted e-Discovery vendor, and what are the e-Discovery best practices designed to enhance information security?

Add to this the complex issue of auditing the security of your adversary or e-Discovery vendor and you have a hydra-like combination of information security, law, compliance, and judicial economy. And with information security concerns on the rise for litigants and firms alike, these issues are sure to be raised frequently and fervently.

These mixed questions of law and security are the reason why Black Chambers exists. We are here to help establish best information security practices for your firm, and will be there if your organization needs to find a trusted e-Discovery vendor, or audit your adversary.

The San Francisco Chronicle interviewed and quoted Black Chambers CEO, Alexander Urbelis, about the fallout from a controversial injunction ordered against German security research firm, ERNW, days before they were to detail vulnerabilities in FireEye's popular malware detection boxes at 44CON in London.

The injunction from a German court essentially functioned as a gag order and required censorship of major portions of the proposed presentation. In the article, Alexander Urbelis discussed the validity of the injunction and the reasons why this type of heavy-handed use of legal process does not sit well with the InfoSec community.

Addressing novel legal theories to combat revenge porn and the technical means available to reduce the risk that explicit photos are retained and shared, Black Chambers CEO, Alexander Urbelis, recently published an article in the NY State Bar Association publication 'Perspectives' entitled, 'The (Il)legalities and Practicalities of Revenge Porn.'

If you watch The Newsroom, you may recall the Season 2 horror, when comely business news anchor, Sloan Sabbith, suddenly realizes that salacious photos of her have been posted on a “revenge porn” site, and were trending on social media.1 Fiction aside, revenge porn, “or sexually explicit media that is publicly shared online without the consent of the pictured individual,”2 is a real world problem and becoming increasingly common. The law is reacting, but as is often the case with novel, tech-driven wrongs, most legal redress is cumbersome, ill-fitting, and insufficient.

There are, however, novel legal theories to combat revenge porn at the federal level, and criminal statutes—though of questionable efficacy—at the state level. And, as a practical matter, if a person does share intimate photos, there are technical measures to reduce the likelihood they will remain in another’s possession or subject to misuse.

Revenge Porn and the Law at the Federal Level

A particularly heinous instance of revenge porn involving a current law student has found its way into the U.S. District Court for the Central District of California. Filed by attorneys from K&L Gates, appearing pro bono on behalf of a pseudonymous plaintiff, the complaint alleges that the victim’s ex-boyfriend posted sexually explicit material to revenge porn websites, then contacted the victim’s friends and colleagues to provide direct links to the obscene material.3

This unique federal litigation, seeking injunctive relief and damages, relies on copyright law for jurisdiction. The theory is that since the victim created the images, it is she who owns their copyright. The ex-boyfriend, by posting the images without her consent, is violating the Copyright Act of 1976, entitling the victim to injunctive relief.

There is, however, a major hitch to this approach: relying on copyright law requires that the explicit images be registered with the U.S. Copyright Office. This process is not only cumbersome, but unrealistic and painful for the victim. What is more, assuming the injunction is effective as to the ex-boyfriend, no legal relief can prevent further dissemination of the images. A court can grant relief only regarding a single defendant, and cannot enjoin downstream websites from displaying or transferring the offending images, or prevent search engines, such as Google, from displaying disparaging search results that point to these sites.

Another legal tactic, combating revenge porn with Digital Millennium Copyright Act (DMCA) takedown requests, has sometimes had the opposite of the intended effect. Websites have displayed takedown requests with pride to draw more attention (and clicks) to the offending material. The obvious intent behind this brazen disregard is to discourage future DMCA requests, and it is likely that this audacious tactic is effective.

In sum, copyright law may indeed provide a partial remedy for some patient victims willing to jump through the hoops required of the U.S. Copyright Office, but it is hardly a silver bullet.

Criminalizing Revenge Porn

Defining revenge porn as a criminal act is the clearest signal that this conduct will not be tolerated. Only 13 states criminalize revenge porn, and, technically, New York is not one of them.4 On the international front, Israel was the first to pass a revenge porn statute and the U.K. the latest to tackle the issue.5 The mere existence of such laws may be a powerful deterrent. But there are practical considerations for successful prosecutions, and the possibility of foreseeable but unintentional consequences on several fronts.

Chief among practicalities, the law must fit the crime. In New York, the first prosecution of revenge porn failed, largely because existing laws did not reach this sort of conduct.6 Harassment was not an option because the material was not sent to the victim herself; unlawful surveillance was inapplicable because the images were created consensually; and the display of offensive materials was similarly inconsonant because nudity is not, per se, offensive.

Responding to this and other failed prosecutions, on 1 November 2014, an amended version of New York’s unlawful surveillance statute went into effect, criminalizing the recording or broadcast of images of the sexual or private parts of another which are created without consent.7 Critics have argued that this amendment does not go far enough to protect victims. As a matter of fit, the law is still not a revenge porn statute—it is a re-engineered version of a peeping tom law. As such, the statute does not extend to sexual material created by mutual consent but distributed without the consent of the victim.

Carrie Goldberg, a board member of the Cyber Civil Rights Initiative, who is active in its ‘End Revenge Porn’ campaign, notes that: “In New York it’s criminal to share credit card numbers8 and pirated music,9 yet we have no such protections for the far more personal and devastating distribution of private sexual pictures.” Legislation10 introduced by New York Assemblyman Edward Braunstein would change this, and, according to Goldberg, protect victims regardless of the motive of the distributor, “whether for revenge, entertainment, money, ‘lulz,’ or no reason at all.”11

Another practical reason prosecutions fail is for a lack of resources. Revenge porn is a fast-moving, cross-border offense that occurs on several different technological platforms: cameras, smart phones, and web servers. Most local law enforcement and prosecutors do not have the financial, technical, or human resources to track and collect transient forensic evidence across several jurisdictions.

Disappearing Evidence and False Flags

A clear-cut case would look like this: a victim is notified of offending material that can be traced back to an image sent to an ex-boyfriend. The mobile device of that ex-boyfriend contains the image distributed without consent, and distribution can be traced to his IP address and his mobile device. Prosecutions, however, are rarely so straightforward.

The first stumbling block is the image itself. If neither the victim nor the ex-boyfriend have a record or copy of the image (perhaps both upgraded their devices or deleted old messages), then only their mobile carrier(s) will have a record of the initial transmission. Acquiring that data is time-consuming and resource-intensive.

But assuming no problem with the above, the next evidentiary hurdle is proof of distribution. Some exes may be so incensed as to throw caution to the wind, but a thoughtful offender would use a new device and public wi-fi for distribution. Technically astute offenders would use a throwaway device and a virtual private network (VPN), to make it seem as if the distribution originated from China or Russia. Acquiring logs and connection data from a foreign VPN provider (if such records are even kept) is both a crapshoot and a herculean task.12 But in the prosecutorial context, if you combine this type of anti-forensic behavior with the fact that mobile devices are often lost or stolen, and add to that the prevalence of data breaches and malware, you have something that begins to look very much like reasonable doubt.

The best way to ensure images never make their way to revenge porn sites is obvious: do not create them. If, however, a person chooses to take and share intimate photos, there are technical measures that can decrease the likelihood of the image being retained and misused.

First: do not send intimate pictures through text message, iMessage, Whatsapp, or any other messaging platform that creates a continuous historical record of activity. Doing so makes it easy for a spurned lover to scroll backwards in time and find revealing photos exchanged during better times.

Second: if you do share private photos, use third-party messaging applications such as Wickr, Silent Circle, or Snapchat that “burn” images after a specified period of time. With these apps, it is possible to specify that the message or image remain with the recipient for as little as ten seconds. While this does not prevent screen captures of images, it does prevent a person from retrieving previously sent images. Further, apps such as Wickr and Snapchat make executing the screen capture function on an iPhone a more cumbersome process, reducing the likelihood that an image will be stored. Snapchat, by the far the most popular app for sharing intimate photos, alerts senders when an image has been screen captured.13

Third: if sharing is not the goal, do not use an Internet-enabled device to capture private moments. Recall the standalone digital camera, the long-forgotten device used to take pictures and nothing more. Placing several steps between yourself and transmission of a private photo will make it less likely to occur.

Fourth: do not back up intimate photos to a cloud. Many devices, including iPhones, are configured, by default, to keep photos in a cloud’s central repository. Weak passwords and angry exes are an awful combination, and the cloud is an all too easy target.

Fifth and finally: Though unsexy, keep a detailed log of images sent and to whom they are sent. If the relationship devolves into a revenge porn fiasco, those contemporaneous records could be critical to a successful prosecution when evidence from other sources is lacking.

* * *

Technology will always outpace legislation. It is, therefore, no surprise that the legal remedies available to victims of revenge porn are inadequate. Federal remedies are slow, burdensome, expensive, and only partially effective. Criminalizing revenge porn is a strong statement, but also an imperfect solution because of the under-inclusive nature of the proscribed conduct and the ease with which evidence can be destroyed and prosecution frustrated.

What is clear, however, is that victims of revenge porn are seriously and irreparably harmed. The elements and mechanics of criminal statutes and the civil remedies available require further consideration and study. Unless and until such a time, the best defense is a good offense. The more we understand the permanence of our digital footprints and the technical measures at our disposal to reduce them, the better able we, as users, are to avoid the problem of revenge porn altogether.

11. New York’s proposed revenge porn law establishes the crime of non-consensual disclosure of sexually explicit images as a class A misdemeanor. The bill is available at http://bit.ly/1GuN3Sy.

12. TorGuard, a prominent VPN provider, advertises that it does not keep logs of activity associated with an IP address. Further, it notes that hundreds of users are using any server at any particular time, making attribution of activity nearly impossible. See, Do You Keep Any Log Files, TORGUARD, http://bit.ly/1B5UMlv.

13. A cottage industry of third party applications that surreptitiously capture Snapchat images has developed. However, in recent months, Snapchat has implemented more sophisticated alert measures to combat this. Nothing, however, would detect whether a separate device, such as a camera, was used to photograph the screen of the recipient’s phone while the image was displayed.

Alex Urbelis is a lawyer and hacker with over 20 years of experience with information security. He has worked for the U.S. Army, the Institute for Security Technology Studies at Dartmouth, the CIA, the U.S. Court of Appeals for the Armed Forces, Steptoe & Johnson, and as information security counsel and CCO of Compagnie Financière Richemont SA (Richemont). Alex holds a BA, summa cum laude, in Philosophy from Stony Brook University, a JD, magna cum laude, from Vermont Law School, and the BCL from New College, University of Oxford.

In the wake of the NY Times revelations about a longstanding partnership between the NSA and AT&T, Black Chambers CEO, Alexander Urbelis, published an op-ed on The Intercept arguing that there is nothing novel nor illegal about telecom and intelligence partnerships. As a matter of ethics, efficiency, and integrity, however, Urbelis argued for new limits and protections for the processing of foreigners' data within US borders.

There is something disquieting and unwholesome about telecoms feeding our communications to government agencies. It was headline news, again, last month when we learned that AT&T has had a longstanding partnership with the National Security Agency. Unfortunately, this form of private-public intelligence collusion is neither new nor, in my view, illegal. Whether it is immoral is an entirely separate question.

U.S. communications carriers first became partners in the intelligence game shortly after World War I. Diplomatic and military affairs transmitted via telegram to home countries were intercepted and decrypted by the Black Chamber, the NSA’s precursor. Obtaining telegrams then was eerily similar to how communications are obtained today: The government simply asked.

The Western Union Telegraph Company and the Postal Telegraph Company allowed intelligence officers to copy telegrams, and this partnership persisted in peacetime. In 1929, however, Secretary of State Henry Stimson defunded the Black Chamber. His concise, and seemingly naïve, rationale reportedly being: “Gentlemen do not read each other’s mail.”

World War II exigencies overruled Stimson’s moral objections and the United States resumed telegram interception. Starting in 1945, just after the end of the war, this interception widened, and Western Union, RCA, and ITT provided the government, via the NSA and its predecessors the Army Security Agency and the Armed Forces Security Agency, with paper tape, microfilm, and later magnetic tape copies of most international telegrams. This continued unabated for decades after the war and was known as Project SHAMROCK.

NSA shared this data with law enforcement, including the FBI and Secret Service. Project SHAMROCK, however, suffered from classic function creep, the gradual extension of a system beyond the purposes for which it was conceived. In the 1960s and 1970s, names of American citizens and organizations were added to watch lists. Anti-war activists, Martin Luther King Jr., Muhammad Ali, and Jane Fonda were among the nearly 1,700 U.S. individuals and organizations targeted for domestic surveillance. This was known as Project MINARET.

Senator Frank Church, whose Senate committee investigated these programs, warned in 1975:

In the need to develop a capacity to know what potential enemies are doing, the United States government has perfected a technological capability that enables us to monitor the messages that go through the air. … That capability at any time could be turned around on the American people, and no American would have any privacy left. … There would be no place to hide.

The Foreign Intelligence Surveillance Act of 1978, codifying a warrant requirement with judicial oversight for electronic surveillance, with particularly strong protections for U.S. persons, was born of the eponymous Church Committee.

This was a philosophical shift in the perception of intelligence activities. Despite infringing privacy of U.S. residents — and undeniably going beyond the degree of intrusion at issue with the Black Chamber — there was no Stimson-like categorical condemnation of surveillance itself. Communications interception was a necessary evil to detect and deter existential threats to the United States. It was crucial, therefore, to safeguard U.S. persons from harm occasioned by this necessary evil.

Foreigners were viewed in a different light, with considerably less protection under FISA as it exists today. Foreigners’ communications have always been legitimate targets of collection, from the time of the Black Chamber and despite fallout from Projects SHAMROCK and MINARET. As an NSA presentation indicates, AT&T even withheld domestic communications before delivering anything to the NSA. The intelligence game in the United States has not changed in over 100 years, so what is the source of the outrage?

As a nation, we are uncomfortable with the morality of the degree (not kind) of intelligence collection that occurs as a result of secret partnerships. In the busiest of MINARET’s six years of operations, there were only 600 domestic and 6,000 foreign targets. Contrast that with the billions of emails flowing across the networks to which AT&T has provided the NSA access. It is the quantity, not the type, source, or method of collection, that produces visceral unease.

Linking this sense of unease to a chilling effect on freedom of speech and association, the ACLU and the Wikimedia Foundation, which runs Wikipedia, have sued to try to halt bulk collection of communications. Our federal courts, however, are not the proper forum. Legal standing and damages requirements mire the process in preliminary motions, and perhaps rightly so because, at root, the question of how surveillance is to be carried out in our names is more of an ethical and political question than a legal issue.

Stimson’s moral prescription that we should not “read each other’s mail” was anachronistic when uttered in 1929. It is ridiculous to suggest we halt foreign intelligence collection derived from U.S. telecoms. It is not outrageous, however, to expect that our intelligence be derived more efficiently and fairly. The same filtering technologies used to exclude domestic communications can also be adapted to minimize the collection and retention of foreigners’ data. Given the quantities of data collected daily, we must expect more to be done to prevent the same function creep that allowed SHAMROCK and MINARET to spiral out of control.

There is a perception that our infrastructure — critical to free expression and global commerce — is exploited and untrustworthy. Our moral compass, again, tells us that this is wrong: Privacy is a right that is universal and fundamental, which ought to apply to all.

Alexander J. Urbelis is a lawyer and self-described hacker with more than 20 years’ experience in information security. He has worked as a graduate fellow in the Office of General Counsel of the Central Intelligence Agency, as a law clerk at the U.S. Court of Appeals for the Armed Forces, and as an associate in the New York and D.C. offices of Steptoe & Johnson. He is currently CEO of Black Chambers Inc., an infosec consulting company, and a partner in a law firm focused on infosec.